Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-28 Thread RW
On Fri, 28 Aug 2020 15:21:53 +0100
RW wrote:
 
> " WHERE ARE THE DATA FILES?
> 
>   For all of these, right click, then 'save as' - then later you can
>   set them up for frequent downloads (every minute!) using CURL or WGET

If anyone's using FreeBSD it's best to avoid fetch -m.

fetch doesn't consider the file unmodified unless the sizes also match,
and the server isn't providing the file size. 



Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-28 Thread RW
On Fri, 28 Aug 2020 08:10:17 -0500
bwalton+1576874...@leepfrog.com wrote:

> Thanks Rob!
> 
> I've done an initial download of the data files and will use, as
> requested, wget's timestamping flag.  How often do you expect these
> files to be updated?  Just trying to determine how often to check for
> updates.
> 
> Thanks,
> Bryan


" WHERE ARE THE DATA FILES?

  For all of these, right click , then 'save as' - then later you can
  set them up for frequent downloads (every minute!) using CURL or WGET
  - only using the setting that only downloads when the server versions
  are newer. "



Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-28 Thread bwalton+1576874476
Thanks Rob!

I've done an initial download of the data files and will use, as
requested, wget's timestamping flag.  How often do you expect these
files to be updated?  Just trying to determine how often to check for
updates.

Thanks,
Bryan


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-26 Thread John Hardin

On Tue, 25 Aug 2020, Rob McEwen wrote:

> On 8/25/2020 11:04 PM, John Hardin wrote:
>> I just wrote something similar to generate a rule, in case for some reason
>> you don't want to use a plugin. Let me know if there's any interest in it.
>
> yes - please share!


http://www.impsec.org/~jhardin/antispam/make_sendgrid_rule.sh



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  There is no doubt in my mind that millions of lives could have been
  saved if the people were not "brainwashed" about gun ownership and
  had been well armed. ... Gun haters always want to forget the Warsaw
  Ghetto uprising, which is a perfect example of how a ragtag,
  half-starved group of Jews took 10 handguns and made asses out of
  the Nazis.-- Theodore Haas, Dachau survivor
---
 2 days until Exercise Your Rights day


Re: ANNOUNCEMENT: The NEW invaluement 'Service Provider DNSBLs' - 1st one for Sendgrid-spams!

2020-08-26 Thread John Capo
On Tue, August 25, 2020 23:07, Rob McEwen wrote:
> Thanks, John Capo, for the suggestions! Honestly, I'm at the end of my
> rope - completely burned out from creating this - desperately needing to
> catch up in other areas of my business so that I can pay my bills. And I
> have other ideas for how to make this data even better that I'm trying
> to get to asap. So help like this is very appreciated!
>
> BTW - does Postfix "know" to refresh the data when the files are
> updated? Or is there some kind of command that needs to run to tell
> Postfix to reload the files? How does that work?

Postfix loads regex files when a new smtpd instance is started. Running postfix 
reload or running postmap on a hashed file forces a restart.

Ideally the ids would be in an RBL so changes are seen in a minute or so.  I 
plan on adding that capability to my policy server.

> ALSO - would it help if I created a separate set of files for Postfix
> that are pre-formatted this way already?

Dominic Raferd posted a script that does that. Your time is probably better 
spent elsewhere.

And Paul Stead posted a nice plugin for Spamassassin.

John Capo
Tuffmail.com


>
> Thanks!
>
>
> Rob McEwen, invaluement.com
>
>
>
> On 8/25/2020 2:26 PM, John Capo wrote:
>
>> On 2020-08-25 11:42, Matus UHLAR - fantomas wrote:
>>
>>>
>>> well, do we have anything available now to block at SMTP level?
>>> - postfix policy server?
>>> - milter?
>>>
>>> so far I have noticed only SA plugins. Which is not bad, but that HUGE
>>> advantage is not usable now.
>>
>> Nothing elegant about this but it was easy to implement. You need to
>> create the software specific to your MX servers to update the files
>> below from Rob's web site.
>>
>> Adjust the paths below to your Postfix install
>>
>> Add these entries to your main.cf:
>>
>> smtpd_restriction_classes =
>>     sendgrid
>>
>> # Limit senders that are matched with the regexes in sendgrid-ids
>> #
>> sendgrid =
>>     check_sender_access pcre:/usr/local/etc/postfix/maps/sendgrid-ids
>>
>> smtpd_recipient_restrictions =
>>     check_sender_access hash:/usr/local/etc/postfix/maps/from-sendgrid
>>
>> Create a file like this from the senders in
>> https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl.txt
>>
>> sendgrid.net        sendgrid
>> appliedaicourse.com sendgrid
>> bithumbcorp.email   sendgrid
>> bitline.life        sendgrid
>> bureausveritas.com  sendgrid
>> caractere.ro        sendgrid
>> craftsgenerals.com  sendgrid
>> dalvry.com          sendgrid
>> ...
>>
>> Name it from-sendgrid and place it in your Postfix directory
>> postmap from-sendgrid
>>
>> Create a file like this from the ids in
>> https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt
>>
>> /^bounces\+2191708-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>> /^bounces\+4227563-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>> /^bounces\+13780591-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>> /^bounces\+10163588-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>> /^bounces\+10180020-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>> ...
>>
>> Name it sendgrid-ids and place it in your Postfix directory
>>
>> postfix reload
>>
>> John Capo Tuffmail.com
>>
>>
>
> -- Rob McEwen https://www.invaluement.com +1 (478) 475-9032
>
>
>
>




Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Dominic Raferd
Here's mine, had it running as a regular cron job for a few days now.

On Wed, 26 Aug 2020 at 04:08, Rob McEwen  wrote:

> On 8/25/2020 11:04 PM, John Hardin wrote:
> > I just wrote something similar to generate a rule, in case for some
> > reason you don't want to use a plugin. Let me know if there's any
> > interest in it.
>
> yes - please share!
>


spbl.sh
Description: Binary data


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Rob McEwen

On 8/25/2020 11:04 PM, John Hardin wrote:
> I just wrote something similar to generate a rule, in case for some
> reason you don't want to use a plugin. Let me know if there's any
> interest in it.

yes - please share!

--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Rob McEwen
Thanks, John Capo, for the suggestions! Honestly, I'm at the end of my 
rope - completely burned out from creating this - desperately needing to 
catch up in other areas of my business so that I can pay my bills. And I 
have other ideas for how to make this data even better that I'm trying 
to get to asap. So help like this is very appreciated!


BTW - does Postfix "know" to refresh the data when the files are 
updated? Or is there some kind of command that needs to run to tell 
Postfix to reload the files? How does that work? ALSO - would it help if 
I created a separate set of files for Postfix that are pre-formatted 
this way already?


Thanks!

Rob McEwen, invaluement.com


On 8/25/2020 2:26 PM, John Capo wrote:

> On 2020-08-25 11:42, Matus UHLAR - fantomas wrote:
>
>> well, do we have anything available now to block at SMTP level?
>> - postfix policy server?
>> - milter?
>>
>> so far I have noticed only SA plugins. Which is not bad, but that HUGE
>> advantage is not usable now.
>
> Nothing elegant about this but it was easy to implement. You need to
> create the software specific to your MX servers to update the files
> below from Rob's web site.
>
> Adjust the paths below to your Postfix install
>
> Add these entries to your main.cf:
>
> smtpd_restriction_classes =
>     sendgrid
>
> # Limit senders that are matched with the regexes in sendgrid-ids
> #
> sendgrid =
>     check_sender_access pcre:/usr/local/etc/postfix/maps/sendgrid-ids
>
> smtpd_recipient_restrictions =
>     check_sender_access hash:/usr/local/etc/postfix/maps/from-sendgrid
>
> Create a file like this from the senders in
> https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl.txt
>
> sendgrid.net        sendgrid
> appliedaicourse.com sendgrid
> bithumbcorp.email   sendgrid
> bitline.life        sendgrid
> bureausveritas.com  sendgrid
> caractere.ro        sendgrid
> craftsgenerals.com  sendgrid
> dalvry.com          sendgrid
> ...
>
> Name it from-sendgrid and place it in your Postfix directory
> postmap from-sendgrid
>
> Create a file like this from the ids in
> https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt
>
> /^bounces\+2191708-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+4227563-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+13780591-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+10163588-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+10180020-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>
> ...
>
> Name it sendgrid-ids and place it in your Postfix directory
>
> postfix reload
>
> John Capo
> Tuffmail.com



--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread John Hardin

On Tue, 25 Aug 2020, John Capo wrote:

> Create a file like this from the ids in
> https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt
>
> /^bounces\+2191708-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+4227563-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+13780591-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+10163588-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
> /^bounces\+10180020-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
>
> ...

I just wrote something similar to generate a rule, in case for some reason 
you don't want to use a plugin. Let me know if there's any interest in it.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Today: the 1941st anniversary of the destruction of Pompeii


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread John Capo

On 2020-08-25 11:42, Matus UHLAR - fantomas wrote:

> well, do we have anything available now to block at SMTP level?
> - postfix policy server?
> - milter?
>
> so far I have noticed only SA plugins. Which is not bad, but that HUGE
> advantage is not usable now.


Nothing elegant about this but it was easy to implement. You need to 
create the software specific to your MX servers to update the files 
below from Rob's web site.


Adjust the paths below to your Postfix install

Add these entries to your main.cf:

smtpd_restriction_classes =
    sendgrid

# Limit senders that are matched with the regexes in sendgrid-ids
#
sendgrid =
    check_sender_access pcre:/usr/local/etc/postfix/maps/sendgrid-ids

smtpd_recipient_restrictions =
    check_sender_access hash:/usr/local/etc/postfix/maps/from-sendgrid

Create a file like this from the senders in 
https://www.invaluement.com/spdata/sendgrid-envelopefromdomain-dnsbl.txt


sendgrid.net        sendgrid
appliedaicourse.com sendgrid
bithumbcorp.email   sendgrid
bitline.life        sendgrid
bureausveritas.com  sendgrid
caractere.ro        sendgrid
craftsgenerals.com  sendgrid
dalvry.com          sendgrid
...

Name it from-sendgrid and place it in your Postfix directory
postmap from-sendgrid

Create a file like this from the ids in 
https://www.invaluement.com/spdata/sendgrid-id-dnsbl.txt


/^bounces\+2191708-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
/^bounces\+4227563-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
/^bounces\+13780591-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
/^bounces\+10163588-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account
/^bounces\+10180020-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account

...

Name it sendgrid-ids and place it in your Postfix directory

postfix reload

John Capo
Tuffmail.com
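
An added example, not part of John Capo's post and not one of the scripts linked in this thread: one way to build the from-sendgrid and sendgrid-ids tables described above from the two downloaded lists. Each entry is validated before use because it is pasted into a regex or an access table, and an empty ID list (for example a failed download) never replaces a working table. It assumes each list holds one entry per line; the function names, the `--run` argument and the directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: one entry per line in each list.

DOMAIN_LIST=sendgrid-envelopefromdomain-dnsbl.txt   # file names as in the URLs above
ID_LIST=sendgrid-id-dnsbl.txt

# stdin: one Sendgrid ID per line -> stdout: one pcre REJECT rule per ID.
# Only all-digit lines are used, because the value ends up inside a regex.
make_sendgrid_ids() {
    LC_ALL=C awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line ends
        /^[0-9]+$/ {
            printf "/^bounces\\+%s-[0-9a-f]{4}-/ REJECT Phish from compromised Sendgrid account\n", $0
            next
        }
        NF { bad++ }
        END { if (bad) printf "sendgrid-ids: skipped %d malformed line(s)\n", bad > "/dev/stderr" }
    '
}

# stdin: one domain per line -> stdout: "<domain> TAB sendgrid" access entries.
# sendgrid.net is always emitted first, as in the sample table in the post.
# Lines with whitespace or other stray characters are dropped so that a list
# entry can never supply its own action column.
make_from_sendgrid() {
    LC_ALL=C awk '
        BEGIN { seen["sendgrid.net"] = 1; print "sendgrid.net\tsendgrid" }
        { sub(/\r$/, ""); d = tolower($0) }
        d ~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/ && !seen[d]++ {
            print d "\tsendgrid"
        }
    '
}

# Replace $2 with $1 only when the content differs.
# Returns 0 = replaced, 1 = unchanged, 2 = rename failed.
install_if_changed() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        rm -f "$1"
        return 1
    fi
    mv -f "$1" "$2" || return 2      # same directory, so the rename is atomic
}

# update_maps <download-dir> <postfix-map-dir>
# Returns 0 = a table changed, 1 = nothing changed, 2 = error (tables untouched).
update_maps() {
    src=$1; maps=$2; changed=1
    make_from_sendgrid < "$src/$DOMAIN_LIST" > "$maps/from-sendgrid.new" &&
    make_sendgrid_ids  < "$src/$ID_LIST"     > "$maps/sendgrid-ids.new" &&
    [ -s "$maps/sendgrid-ids.new" ] || {
        rm -f "$maps/from-sendgrid.new" "$maps/sendgrid-ids.new"
        return 2
    }
    for t in from-sendgrid sendgrid-ids; do
        st=0
        install_if_changed "$maps/$t.new" "$maps/$t" || st=$?
        case $st in
            0) changed=0 ;;
            1) ;;
            *) return 2 ;;
        esac
    done
    return "$changed"
}

# Invoked as: <script> --run <download-dir> <postfix-map-dir>
if [ "${1:-}" = "--run" ]; then
    rc=0
    update_maps "$2" "$3" || rc=$?
    case $rc in
        0) postmap "$3/from-sendgrid" && postfix reload ;;
        1) ;;                                    # nothing changed, no reload
        *) echo "update failed; existing tables left in place" >&2; exit 1 ;;
    esac
fi
```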




Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Giovanni Bechis
On Tue, Aug 25, 2020 at 08:29:55PM +0200, Benny Pedersen wrote:
> Rob McEwen wrote on 2020-08-25 19:20:
> 
> > PRO TIP: Instead of complaining about this problem on this thread -
> > why not go to the discussion list or forum of your preferred MTA - and
> > ask them to implement it?
> 
> maybe make clamav sigs ?
> 
> is mimedefang working still ?, special plugins needed ?, i just use fuglu
Mimedefang is still alive on a new home:
https://github.com/The-McGrail-Foundation/MIMEDefang
I think it should not be complicated to implement it.
  Giovanni 


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Rob McEwen

On 8/25/2020 2:29 PM, Benny Pedersen wrote:
> maybe make clamav sigs ?



Benny,

Thanks for your other suggestions - those are worth exploring.

Also - the Clamav Sigs is not a bad idea - but even besides the fact 
that (like SA rules), Clamav is content filtering and not at the 
SMTP-Envelope level - Clamav doesn't tend to have nearly AS fast of a 
turnaround time as do DNSBLs.


In a previous message, someone was disappointed that we missed one, and 
it turns out our 24-second turnaround time on that message (from the 
start of the SMTP connection - to being fully deployed in the data) was 
a contributing factor. We now have a plan to shorten that 24-seconds to 
about 4 seconds AND (for invaluement subscribers) - we have a "push" 
technology that is available now where those invaluement subscribers who 
opt for this feature (no extra charge!) - can get a split second 
notification to run their RSYNC just 1 second after the file updates - 
and we do that already for our direct query servers. So there is an 
option (once implemented!) to potentially get these FULLY 
DISTRIBUTED within about 8 seconds from the start of the SMTP connection 
of the first such spam received - to being FULLY deployed on DNS servers 
(both our own direct query servers - and our RSYNC subscribers' internal 
rbldnsd servers) - that will be AMAZING. I expect to be there within a 
week from now. Something like clamav just can't even begin to compete 
with that fast of a turnaround. But ClamAv rules may still be a good way 
to get this implemented for many.


Someone else mentioned one that was completely off of our radar - but 
we're about to double the coverage of these in terms of mailboxes and 
traps used for this purpose - so that will help further minimize our 
"blind spots".


--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Benny Pedersen

Rob McEwen wrote on 2020-08-25 19:20:

> PRO TIP: Instead of complaining about this problem on this thread -
> why not go to the discussion list or forum of your preferred MTA - and
> ask them to implement it?


maybe make clamav sigs ?

is mimedefang working still ?, special plugins needed ?, i just use 
fuglu




Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Benny Pedersen

Matus UHLAR - fantomas wrote on 2020-08-25 17:42:

> well, do we have anything available now to block at SMTP level?
> - postfix policy server?
> - milter?
>
> so far I have noticed only SA plugins. Which is not bad, but that HUGE
> advantage is not usable now.


fuglu

i reject highscore spams, just setup fuglu in prequeue with postfix



Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Rob McEwen

On 8/25/2020 1:20 PM, Rob McEwen wrote:

> but I can do everything, at least not all at once


*can't do

--
Rob McEwen
https://www.invaluement.com
 



Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Rob McEwen

On 8/25/2020 11:42 AM, Matus UHLAR - fantomas wrote:

> well, do we have anything available now to block at SMTP level?
> - postfix policy server?
> - milter?
> so far I have noticed only SA plugins. Which is not bad, but that HUGE
> advantage is not usable now.



And likewise - 48 hours ago - a SpamAssassin plugin didn't exist either! 
These things take at least a little bit of time. We're only at the 3rd 
business day that this tech has been in existence. But I think you and I 
would both be surprised at how many systems are likely already (quietly) 
using this at the SMTP-connection level, for certain more 
custom-programmed systems. I believe adaptation in other public MTAs is 
inevitable. For example, I have some good contacts at Exim and it's on 
my "to do" list to ask them about this, but I can do everything, at 
least not all at once. And those MTAs that don't enable usage of this 
will be left behind.


PRO TIP: Instead of complaining about this problem on this thread - why 
not go to the discussion list or forum of your preferred MTA - and ask 
them to implement it?


--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Matus UHLAR - fantomas
>>> --On Saturday, August 22, 2020 11:15 AM -0400 Jered Floyd wrote:
>>>> Like most ISPs, they have a feedback loop to remove malicious users.  I
>>>> assume it is too slow, so a SendGrid account ID RBL would provide
>>>> meaningful value.

>> On 8/22/2020 3:35 PM, Kenneth Porter wrote:
>>> Would not Pyzor accomplish the same thing? Submit the SendGrid spam
>>> to Pyzor to quickly get it blacklisted.

On 22.08.20 17:23, Rob McEwen wrote:
> sendgrid list can do the filtering at the SMTP-envelope level - BEFORE
> the message is even downloaded - for some systems with millions of
> users - that is a HUGE advantage.
>
> (2) being filterable at the SMTP-Envelope level opens up possibilities
> for things like MTA plugins or feature additions - that enable this
> filtering at the MTA level - for MTAs that do NOT try to do any
> content filtering of the message. That creates more options for
> deployment where many will hopefully be able to make use of this, who
> don't have Pyzor (for whatever reasons)

well, do we have anything available now to block at SMTP level?
- postfix policy server?
- milter?

so far I have noticed only SA plugins. Which is not bad, but that HUGE
advantage is not usable now.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-25 Thread Benoit Panizzon
Hi Rob

This works like a charm, blocking a lot of: bounces+8465718 atm.

Thank you for your excellent plugin!

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Head of Commerce Customers
__

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
__


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-24 Thread Paul Stead
The following plugin extracts the SendGrid ID to a Tag, now we can use it
with askdns..

https://github.com/fmbla/spamassassin-sendgrid

Paul


On Sun, 23 Aug 2020 at 20:42, Giovanni Bechis  wrote:

> On 8/21/20 9:28 PM, Rob McEwen wrote:
> > ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one
> > for Sendgrid-spams!
> >
> > ...a collection of a new TYPE of DNSBL, with the FIRST of these having a
> > focus on Sendgrid-sent spams. AND - there is a FREE version of this - that
> > can be used NOW! (/well... might need a SpamAssassin rule or two! Your help
> > appreciated!)/:
> >
> SpamAssassin plugin available at:
> https://github.com/bigio/spamassassin-esp/archive/esp-v0.1.tar.gz
>
> We will work on improving this new type of DNSBL with more data and more
> features, stay tuned.
>
>  Giovanni
>
> > INFO AND INSTRUCTIONS HERE:
> >
> > https://www.invaluement.com/serviceproviderdnsbl/
> >
> > This provides a way to surgically block Sendgrid's WORST spammers, yet
> > without the massive collateral damage that would happen if blocking
> > Sendgrid domains and IP addresses. But we're NOT stopping at the phishes
> > and viruses - and we're not finished! There will be some well-deserved
> > economic pain, that puts the recipients' best interests at heart.
> > Therefore, flagrant "cold email" spamming to recipients who don't even know
> > the sender - is also being targeted - first with the absolute worst - and
> > then progressing to other offenders as we make adjustments in the coming
> > weeks.
> >
> > -- Rob McEwen https://www.invaluement.com
> >
>
>


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-23 Thread Giovanni Bechis
On 8/21/20 9:28 PM, Rob McEwen wrote:
> ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for 
> Sendgrid-spams!
> 
> ...a collection of a new TYPE of DNSBL, with the FIRST of these having a 
> focus on Sendgrid-sent spams. AND - there is a FREE version of this - that 
> can be used NOW! (/well... might need a SpamAssassin rule or two! Your help 
> appreciated!)/:
> 
SpamAssassin plugin available at:
https://github.com/bigio/spamassassin-esp/archive/esp-v0.1.tar.gz

We will work on improving this new type of DNSBL with more data and more 
features, stay tuned.

 Giovanni

> INFO AND INSTRUCTIONS HERE:
> 
> https://www.invaluement.com/serviceproviderdnsbl/
> 
> This provides a way to surgically block Sendgrid's WORST spammers, yet 
> without the massive collateral damage that would happen if blocking Sendgrid 
> domains and IP addresses. But we're NOT stopping at the phishes and viruses - 
> and we're not finished! There will be some well-deserved economic pain, that 
> puts the recipients' best interests at heart. Therefore, flagrant "cold 
> email" spamming to recipients who don't even know the sender - is also being 
> targeted - first with the absolute worst - and then progressing to other 
> offenders as we make adjustments in the coming weeks.
> 
> -- Rob McEwen https://www.invaluement.com
> 



Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread Jered Floyd



- On Aug 22, 2020, at 3:35 PM, Kenneth Porter sh...@sewingwitch.com wrote:

>> Like most ISPs, they have a feedback loop to remove malicious users.  I
>> assume it is too slow, so a SendGrid account ID RBL would provide
>> meaningful value.
> 
> Would not Pyzor accomplish the same thing? Submit the SendGrid spam to
> Pyzor to quickly get it blacklisted.

SA has multiple overlapping metrics.  As long as they are not fully 
overlapping, each adds to spam/ham assurance.

As Rob points out, it's also valuable to prioritize low-cost tests on inbound 
mail -- matching a sender ID is simpler than a message digest.

--Jered


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread Rob McEwen

On 8/22/2020 3:35 PM, Kenneth Porter wrote:
> --On Saturday, August 22, 2020 11:15 AM -0400 Jered Floyd wrote:
>
>> Like most ISPs, they have a feedback loop to remove malicious users.  I
>> assume it is too slow, so a SendGrid account ID RBL would provide
>> meaningful value.
>
> Would not Pyzor accomplish the same thing? Submit the SendGrid spam to
> Pyzor to quickly get it blacklisted.



(1) Pyzor requires resource-expensive content filtering - whereas the 
sendgrid list can do the filtering at the SMTP-envelope level - BEFORE 
the message is even downloaded - for some systems with millions of users 
- that is a HUGE advantage.


(2) being filterable at the SMTP-Envelope level opens up possibilities 
for things like MTA plugins or feature additions - that enable this 
filtering at the MTA level - for MTAs that do NOT try to do any content 
filtering of the message. That creates more options for deployment where 
many will hopefully be able to make use of this, who don't have Pyzor 
(for whatever reasons)


(3) The strategy you described is SOMETIMES easily defeated with certain 
variations in the messages, where each message is sufficiently different 
to NOT be blockable by Pyzor. That is a HUGE loophole in Pyzor 
technology. This Sendgrid ID list doesn't have that problem.


(4) Also, a spammer who sends out many different types of spams - can 
potentially stay off of Pyzor's radar - but yet ALL of those spams under 
that Sendgrid ID - will be collectively noticed in our engine. And, 
likewise, Pyzor's methods could create a game of whack-a-mole. The 
spammer will just keep coming out with new types of spam - that all get 
past Pyzor while Pyzor tries to catch up - then Pyzor catches up - then 
the spammer just reformats the content. Rinse. Repeat. Meanwhile, ALL of 
those LATER spams are ALREADY blocked by our Sendgrid list BEFORE the 
next types of spams are sent - ALL OF THEM. (you could argue that we 
might get into a game of whack-a-mole too with those Sendgrid IDs - but 
we're FAR less vulnerable to that - it will happen MUCH LESS often!)


(5) for these reasons and others - I strongly suspect that our Sendgrid 
list is going to have a MUCH faster turnaround time on listing the 
initial spams from a new sendgrid ID - and, as mentioned, their later 
spams will then ALREADY be caught by this Sendgrid list - while Pyzor is 
bogged down in that silly whack-a-mole game.


Don't get me wrong - Pyzor and other such checksum content filters - are 
wonderful and have their place - but thinking that they remove the need 
for this Sendgrid list - is absolutely not even close to true.


--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread Kenneth Porter
--On Saturday, August 22, 2020 11:15 AM -0400 Jered Floyd wrote:

> Like most ISPs, they have a feedback loop to remove malicious users.  I
> assume it is too slow, so a SendGrid account ID RBL would provide
> meaningful value.

Would not Pyzor accomplish the same thing? Submit the SendGrid spam to 
Pyzor to quickly get it blacklisted.






Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread Jered Floyd



- On Aug 21, 2020, at 10:37 PM, Philip Prindeville 
philipp_s...@redfish-solutions.com wrote:

> I fail to see the point: that we do the work that sendgrid should be doing,
> but on a duplicative scale?
> 
> Why don’t they police themselves?

Presumably for the same reasons we filter spam at all.  SendGrid is a (type of) 
ISP.  Users sign up, and create and send content.  Some of that content is 
spam.  We want to block the spam, without blocking the entire ISP.

Like most ISPs, they have a feedback loop to remove malicious users.  I assume 
it is too slow, so a SendGrid account ID RBL would provide meaningful value.

(The easiest way to consume this is surely as a DNS RBL?)

--Jered


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread M. Omer GOLGELI
Sendgrid and their likes...

Checking 1 day's logs for 1 domain, I see that of the 17 SendGrid mails to hit 
my antispam gateway, 17 of them were spam from 9 distinct senders.

I can't deal with hunting spammers like that, giving a nice little score to the 
spam tools that allow this kind of mass mailing without checks is the better 
approach IMO. 





M. Omer GOLGELI


August 22, 2020 10:17 AM, "Benny Pedersen"  wrote:

> @lbutlr wrote on 2020-08-22 08:03:
> 
>> On 21 Aug 2020, at 14:15, Benny Pedersen  wrote:
>>> blacklist_from *+14927644-*
>> 
>> I think adding 5.0 to all sendgrid mail is the best idea I've heard.
>> Sendgrid makes me long for the days of the SPEWS RBL.
> 
> i am soon to be tired of it to add it to rpz in bind9


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread Benny Pedersen

@lbutlr wrote on 2020-08-22 08:03:

> On 21 Aug 2020, at 14:15, Benny Pedersen  wrote:
>> blacklist_from *+14927644-*
>
> I think adding 5.0 to all sendgrid mail is the best idea I've heard.
>
> Sendgrid makes me long for the days of the SPEWS RBL.

i am soon to be tired of it to add it to rpz in bind9


Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-22 Thread @lbutlr
On 21 Aug 2020, at 14:15, Benny Pedersen  wrote:
> blacklist_from *+14927644-*

I think adding 5.0 to all sendgrid mail is the best idea I've heard.

Sendgrid makes me long for the days of the SPEWS RBL.


-- 
These are the thoughts that kept me out of the really good schools.
-- George Carlin



Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-21 Thread Axb

On 8/22/20 4:37 AM, Philip Prindeville wrote:

>> On Aug 21, 2020, at 1:28 PM, Rob McEwen  wrote:
>>
>> ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for
>> Sendgrid-spams!
>>
>> ...a collection of a new TYPE of DNSBL, with the FIRST of these having a
>> focus on Sendgrid-sent spams. AND - there is a FREE version of this - that
>> can be used NOW! (well... might need a SpamAssassin rule or two! Your help
>> appreciated!):
>>
>> INFO AND INSTRUCTIONS HERE:
>>
>> https://www.invaluement.com/serviceproviderdnsbl/
>>
>> This provides a way to surgically block Sendgrid's WORST spammers, yet
>> without the massive collateral damage that would happen if blocking Sendgrid
>> domains and IP addresses. But we're NOT stopping at the phishes and viruses -
>> and we're not finished! There will be some well-deserved economic pain, that
>> puts the recipients' best interests at heart. Therefore, flagrant "cold
>> email" spamming to recipients who don't even know the sender - is also being
>> targeted - first with the absolute worst - and then progressing to other
>> offenders as we make adjustments in the coming weeks.
>
> I fail to see the point: that we do the work that sendgrid should be doing, but
> on a duplicative scale?
>
> Why don’t they police themselves?
>
> We’re effectively calling out spam that’s escaped after the fact.  What’s the
> point of that?
>
> They should be scanning email as it leaves their infrastructure and using rules
> and Bayesian filters to know if something is amiss and they need to have human
> intervention.
>
> Nothing is stopping them from doing the right thing.
>
> Why should we enable their bad behavior?



The point is to prevent Phish, Spearphish and other bad stuff, not just 
"spam"


seems you're sort of late to the party...
Get on board @ Mailop, SDLU, etc lists




Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-21 Thread Philip Prindeville



> On Aug 21, 2020, at 1:28 PM, Rob McEwen  wrote:
> 
> ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for 
> Sendgrid-spams!
> 
> ...a collection of a new TYPE of DNSBL, with the FIRST of these having a 
> focus on Sendgrid-sent spams. AND - there is a FREE version of this - that 
> can be used NOW! (well... might need a SpamAssassin rule or two! Your help 
> appreciated!):
> 
> INFO AND INSTRUCTIONS HERE:
> 
> https://www.invaluement.com/serviceproviderdnsbl/
> 
> This provides a way to surgically block Sendgrid's WORST spammers, yet 
> without the massive collateral damage that would happen if blocking Sendgrid 
> domains and IP addresses. But we're NOT stopping at the phishes and viruses - 
> and we're not finished! There will be some well-deserved economic pain, that 
> puts the recipients' best interests at heart. Therefore, flagrant "cold 
> email" spamming to recipients who don't even know the sender - is also being 
> targeted - first with the absolute worst - and then progressing to other 
> offenders as we make adjustments in the coming weeks.
> 


I fail to see the point: that we do the work that sendgrid should be doing, but 
on a duplicative scale?

Why don’t they police themselves?

We’re effectively calling out spam that’s escaped after the fact.  What’s the 
point of that?

They should be scanning email as it leaves their infrastructure and using rules 
and Bayesian filters to know if something is amiss and they need to have human 
intervention.

Nothing is stopping them from doing the right thing.

Why should we enable their bad behavior?



Re: ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-21 Thread Benny Pedersen

Rob McEwen wrote on 2020-08-21 21:28:

> ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one
> for Sendgrid-spams!

> (1) Sendgrid IDs that are found OFTEN in the SMTP-ENVELOPE FROM address
> of Sendgrid-sent messages.
>
> EXAMPLE:
> So in THIS case, 14927644 is the ID. Nothing more. Nothing less.

blacklist_from *+14927644-*

untested but should work

i just use this form

blacklist_from *-rob=pvsys@sendgrid.net

:-)


ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one for Sendgrid-spams!

2020-08-21 Thread Rob McEwen
ANNOUNCEMENT: The NEW invaluement "Service Provider DNSBLs" - 1st one 
for Sendgrid-spams!


...a collection of a new TYPE of DNSBL, with the FIRST of these having a 
focus on Sendgrid-sent spams. AND - there is a FREE version of this - 
that can be used NOW! (/well... might need a SpamAssassin rule or two! 
Your help appreciated!)/:


INFO AND INSTRUCTIONS HERE:

https://www.invaluement.com/serviceproviderdnsbl/

This provides a way to surgically block Sendgrid's WORST spammers, yet 
without the massive collateral damage that would happen if blocking 
Sendgrid domains and IP addresses. But we're NOT stopping at the phishes 
and viruses - and we're not finished! There will be some well-deserved 
economic pain, that puts the recipients' best interests at heart. 
Therefore, flagrant "cold email" spamming to recipients who don't even 
know the sender - is also being targeted - first with the absolute worst 
- and then progressing to other offenders as we make adjustments in the 
coming weeks.


-- Rob McEwen https://www.invaluement.com